Rogue Device Spotlight: SerialGhost



Popularity: 7
How often the rogue device is used in the wild to conduct real-world attacks, with 1 being the rarest, 10 being widely used.

The SerialGhost itself is a popular tool built for the serial port, an increasingly unpopular type of port. While still common, these devices are not as common as keyloggers or certain WiFi interception tools.


Simplicity: 9
The cost or “DIY burden” of the device, availability (ease of acquisition), and degree of skill necessary to deploy/operate the device, with 1 being expensive/difficult to build, not publicly available, and requiring deep technical expertise to operate, 10 being low-cost, available for purchase online, plug-and-play operation.

Another device that is designed for fairly beginner use, the SerialGhost can be bought online, set up and controlled with a Windows application, and has a full user manual online. While it does require a USB adapter, rogue devices really don’t get much easier than this.


Impact: 5
The potential damage caused by successful execution of the attack, with 1 being exposure of trivial information from the target, 10 being organization-wide superuser-level compromise or equivalent.

As with any kind of interception device, the impact of the SerialGhost is entirely a function of what it is intercepting. While serial ports are not quite as common as other types of connections, and many won’t have useful information, the ones that do could cause fairly serious privacy breaches. However, data loss prevention systems may catch exfiltration at higher security organizations, making the SerialGhost’s wireless properties powerful but preventable.


SerialGhost Wi-Fi

Designed by KeeLog for protocol reverse engineering and data backup, the SerialGhost is a RS232 hardware logger capable of recording asynchronous communications up to 115200 bps. When placed between the host computer and the serial connected device, the SerialGhost transparently intercepts and stores both communication channels (RX and TX) to its internal flash, where they can later be retrieved via USB or over the wireless network. Powered either by the host computer’s USB port or an external power supply, the SerialGhost can be left deployed indefinitely, requiring only periodic attention to collect its stored data and clear the internal memory.

While serial connected devices may no longer be a common sight in the average office, they are widely used in fields which depend on highly reliable low-bandwidth communications, such as industrial automation or point of sale systems. Being able to record and then analyze the data being passed between the serial device and computer can reveal a wealth of valuable information. This kind of information can enable rogue actors to do things like reverse engineering control software used to command robotic hardware, or capture data from barcode scanners.


Hardware Highlights:

  • Dimensions: Approximately 2 inches long
  • Radio: Supports WPA/WPA2/WEP
  • Storage: 2 Gigabyte storage capacity
  • OS: No drivers or software needed
  • I/O: Powered by USB or external adapter
  • Other: Internal battery for data retention





Notable Features:

One of the biggest improvements in the newest version of the device is the ability to collect data without needing to physically collect from or even interact with the SerialGhost after it has been installed. Unlike previous versions, which required the user to download the captured data over USB, a SerialGhost with uninterrupted power and Internet access can remain in place for as long as the user wishes.

In addition, the device is built to be used by a variety of users with differing levels of expertise. While KeeLog does offer a Windows application to control the SerialGhost and aid in downloading data, the software isn’t required. Setup of the device can be done with a plain-text configuration file located on its internal storage, and data can be collected by giving the SerialGhost an email address to which it will periodically send capture files. Sending capture files out as emails is an excellent example of “hiding in plain sight.” While this method will most likely set off red flags in security conscious institutions with a data loss prevention system, it provides another convenient route for exfiltrating data from an organization.

A major drawback: if the user wishes to use the SerialGhost’s USB mode (such as for the first time configuration, or where an Internet connection is not viable), a special adapter is required. Despite having a standard USB cable attached, without the adapter, the SerialGhost is only able to get power over the USB port. Having to carry around the adapter is an added complication which may be an issue for some.



The SerialGhost’s small form factor, invisibility to the host operating system, and connectivity features make it perfect for covert use and long deployments. That said, serial data devices are no longer quite common in the average network, relegating the SerialGhost to something of a niche device.

However, this niche still holds some exceptionally important data that can often be overlooked from a security standpoint. As with many of the most effective attacks, these devices take advantage of an almost “legacy” technology and can be overlooked in regular audits in favor of the security and networking tools that are more recent or considered more interesting. They are still used for networking equipment, GPS receivers, Point of Sale Devices, AV components, and others. Most of the stenography machines used by the courts use serial ports, opening up a host of issues there. While locking down modern equipment and security procedures is important, the right target could make the SerialGhost a devastating tool.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *